UQ13A Posted December 22, 2009 Share Posted December 22, 2009 Hi i have a problem here. What i have is a ticket support system and i am stuck. Well what i want is to stop people from changing the id to view other tickets eg ticket.php?id=7 to ticket.php?id=1 <?php $username = $_SESSION['username']; $id = $_GET['id']; if($_GET['id'] == "$id") { $query = ("SELECT * FROM `Replys` WHERE `ticket` = '$id'"); $result = mysql_query($query); $numResults = mysql_num_rows($result); while($row = mysql_fetch_array($result)) { $ticketID = $row['ticketID']; $problem = $row['message']; $time_replied = $row['time']; $status = $row['status_code']; $by = $row['by']; $submiter = $row['submiter']; if ($status == 1) { $stats = "This ticket is still <font color=00FF00><strong>Open</strong></font>"; } elseif ($status == 2) { $stats = "This ticket has been <font color=FF6600><strong>forwarded to the admin</strong></font>"; } elseif ($status == 3) { $stats = "This ticket has been <font color=FF0000><strong>closed</strong></font>"; } else { $stats = "<font color=FF0000><strong>Error/Deleted</strong></font>"; } ?> <a href="SupportDesk.php">Return to Support</a><br /><br /> <table width="550" cellpadding="5" cellspacing="0" bordercolor="#FFFFFF"> <tr> <td width="75" bgcolor="#FFFFFF"><div align="center"><i><a href=profile.php?user=<?php echo $by ?> target="_blank"><?php echo $by ?></a></i><br> <img src="Images/support/mod.gif" width="50" height="50"><br> <i><?php echo $time_replied ?></i></div></td> <td width="475" valign="top" bgcolor="#FFFFFF"><div align="left"><font size="2.75" color="black"><?php echo $problem ?><br /> <br /></font><font size="2.75"><?php echo $stats ?> by <?php echo $by; ?></font></div></td> </tr> </table> <br /><br /> <?php $i++; } } else { print "This is not your ticket!"; } ?> Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/ Share on other sites More sharing options...
teynon Posted December 22, 2009 Share Posted December 22, 2009 Only way is to require a login or use POST but they can still manipulate post data Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982534 Share on other sites More sharing options...
UQ13A Posted December 22, 2009 Author Share Posted December 22, 2009 Only way is to require a login or use POST but they can still manipulate post data I use sessions i check if the user is loggedin then they are shown this page i also tried this mysql query, but only the person who submitted it could see <?php $query = ("SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"); ?> Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982539 Share on other sites More sharing options...
teynon Posted December 22, 2009 Share Posted December 22, 2009 You can't prevent data from being manipulated, you can only validate it. So the only good way to do it is by requiring them to either be an admin or the user who submitted the ticket. Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982551 Share on other sites More sharing options...
UQ13A Posted December 22, 2009 Author Share Posted December 22, 2009 You can't prevent data from being manipulated, you can only validate it. So the only good way to do it is by requiring them to either be an admin or the user who submitted the ticket. How would i go about doin that? Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982552 Share on other sites More sharing options...
mrMarcus Posted December 22, 2009 Share Posted December 22, 2009 you want to prevent them from viewing other people's tickets, or just their own? and this line does nothing: $id = $_GET['id']; if($_GET['id'] == "$id") { //the same as checking if 1=1, or elephant=elephant, or false=false, etc; Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982556 Share on other sites More sharing options...
UQ13A Posted December 22, 2009 Author Share Posted December 22, 2009 you want to prevent them from viewing other people's tickets, or just their own? and this line does nothing: $id = $_GET['id']; if($_GET['id'] == "$id") { //the same as checking if 1=1, or elephant=elephant, or false=false, etc; i want to prevent them from viewing other people's tickets Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982559 Share on other sites More sharing options...
UQ13A Posted December 22, 2009 Author Share Posted December 22, 2009 Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982645 Share on other sites More sharing options...
Eiolon Posted December 22, 2009 Share Posted December 22, 2009 Just create a permissions table and have one of the options be if they are allowed to view other peoples tickets, it be a 1 if not, then a 0. Go into the ticket.php file and throw in some php to validate if they have permission or not based on the permissions table. Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982649 Share on other sites More sharing options...
UQ13A Posted December 22, 2009 Author Share Posted December 22, 2009 Just create a permissions table and have one of the options be if they are allowed to view other peoples tickets, it be a 1 if not, then a 0. Go into the ticket.php file and throw in some php to validate if they have permission or not based on the permissions table. i sort of get what you mean about the permissions Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982652 Share on other sites More sharing options...
mrMarcus Posted December 22, 2009 Share Posted December 22, 2009 what was wrong with your query? $query = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"; this is the track you must take. it's how you allow certain users to view certain content. you said, "but only the person who submitted it could see" .. isn't that the point? Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982665 Share on other sites More sharing options...
UQ13A Posted December 22, 2009 Author Share Posted December 22, 2009 what was wrong with your query? $query = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"; this is the track you must take. it's how you allow certain users to view certain content. you said, "but only the person who submitted it could see" .. isn't that the point? Yes but i want moderators and only moderators to look at the tickets and answer them its a help desk/support system Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982667 Share on other sites More sharing options...
mrMarcus Posted December 22, 2009 Share Posted December 22, 2009 what was wrong with your query? $query = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"; this is the track you must take. it's how you allow certain users to view certain content. you said, "but only the person who submitted it could see" .. isn't that the point? Yes but i want moderators and only moderators to look at the tickets and answer them its a help desk/support system i understand what it is as your title says it all. however, it's just now that you are starting to shed some more light on the usage of this system. why is that? the more people have to guess, the longer it will take for you to be helped. to clarify your issue. you want only moderators and the respective user to be able to view a certain ticket. for example, John creates a ticket. the ticket is #347. now you want only John AND any moderator to be able to view ticket #347, correct? simple, create a permissions table to moderators with an option being whether they can view tickets or not (`view_tickets` = 1 or 0 in db permissions table), and follow the same condition within the sql query as you already have, except now you'll add the permissions to the mix. Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982676 Share on other sites More sharing options...
teynon Posted December 22, 2009 Share Posted December 22, 2009 I keep having to quote myself... You can't prevent data from being manipulated, you can only validate it. So the only good way to do it is by requiring them to either be an admin or the user who submitted the ticket. The user has to be an administrator or the person who created the ticket. You obviously already have some way of distinguishing a moderator from a user. I think you should be able to figure out the logic here, but everyone always wants me to do it for them. (No I wont do it for you, unless you pay me.) Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982682 Share on other sites More sharing options...
UQ13A Posted December 22, 2009 Author Share Posted December 22, 2009 I keep having to quote myself... You can't prevent data from being manipulated, you can only validate it. So the only good way to do it is by requiring them to either be an admin or the user who submitted the ticket. The user has to be an administrator or the person who created the ticket. You obviously already have some way of distinguishing a moderator from a user. I think you should be able to figure out the logic here, but everyone always wants me to do it for them. (No I wont do it for you, unless you pay me.) Pay you, would a packet of Skittles do i use this if ($user[user_level]>="2") { were 2 is moderators level Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982686 Share on other sites More sharing options...
teynon Posted December 22, 2009 Share Posted December 22, 2009 Ok, so combine the two statements. $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"; if ((@mysql_num_rows(@mysql_query($sql)) > 0) && ($user[user_level]>="2")) { Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982689 Share on other sites More sharing options...
UQ13A Posted December 22, 2009 Author Share Posted December 22, 2009 Ok, so combine the two statements. $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"; if ((@mysql_num_rows(@mysql_query($sql)) > 0) && ($user[user_level]>="2")) { I'll take a look tomarrow thanks Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982699 Share on other sites More sharing options...
teynon Posted December 22, 2009 Share Posted December 22, 2009 Oops, use OR: if ((@mysql_num_rows(@mysql_query($sql)) > 0) || ($user[user_level]>="2")) { Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-982702 Share on other sites More sharing options...
UQ13A Posted December 23, 2009 Author Share Posted December 23, 2009 Oops, use OR: if ((@mysql_num_rows(@mysql_query($sql)) > 0) || ($user[user_level]>="2")) { Thanks i replaced the query with this. It all works now. Except this; Moderators are only shown the reply box and not the information about the ticket. i have attached to picture's below [attachment deleted by admin] Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-983060 Share on other sites More sharing options...
UQ13A Posted December 23, 2009 Author Share Posted December 23, 2009 Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-983085 Share on other sites More sharing options...
mrMarcus Posted December 23, 2009 Share Posted December 23, 2009 show your revised code. Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-983091 Share on other sites More sharing options...
UQ13A Posted December 23, 2009 Author Share Posted December 23, 2009 show your revised code. Here it is <?php $username = $_SESSION['username']; $id = $_GET['view']; if (isset($_GET['view'])) { $level = "SELECT * FROM `users` WHERE name = '$username'" or die(mysql_error()); $get = mysql_query($level) or die(mysql_error()); $user = mysql_fetch_array($get); $sql = "SELECT * FROM `Replys` WHERE `ticketID` = '$id' AND `submiter` = '$username'"; if ((@mysql_num_rows(@mysql_query($sql)) > 0) || ($user[user_level]>="2")) { $result = mysql_query($sql); print "<a href=\"Support.php\">Return to Support</a><br /><br />"; while($row = mysql_fetch_array($result)) { $ticketID = $row['ticketID']; $problem = $row['message']; $time_replied = $row['time']; $status = $row['status_code']; $by = $row['by']; $submiter = $row['submiter']; if ($status == 1) { $stats = "This ticket is still <font color=\"00FF00\"><strong>Open</strong></font>"; } elseif ($status == 2) { $stats = "This ticket has been <font color=\"FF6600\"><strong>forwarded to the admin</strong></font>"; } elseif ($status == 3) { $stats = "This ticket has been <font color=\"FF0000\"><strong>closed</strong></font>"; } else { $stats = "<font color=\"FF0000\"><strong>Error/Deleted</strong></font>"; } ?> <br /> <table width="550" cellpadding="5" cellspacing="0" bordercolor="#FFFFFF"> <tr> <td width="75" bgcolor="#FFFFFF"><div align="center"><i><a href=../loggedin54782/profile.php?user=<?php echo $by ?> target="_blank"><?php echo $by ?></a></i><br> <img src="Images/support/mod.gif" width="50" height="50"><br> <i><?php echo $time_replied ?></i></div></td> <td width="475" valign="top" bgcolor="#FFFFFF"><div align="left"><font size="2.75" color="black"><?php echo $problem ?><br /> <br /></font><font size="2.75"><?php echo $stats ?> by <?php echo $by; ?></font></div></td> </tr> </table><br /><br /> <?php $i++; } ?> Add reply form below<br /> <form action="" method="post" name="addreply" id="addreply"> <br /> Reply below... Before forwarding to the admin(s) please ask the user for<br /> more information regarding their ticket!<br /> <textarea name="message" id="message" cols="60" rows="5"></textarea> <br /><br /> <input type="submit" name="Close" id="Close" value="Reply + Close" /> <input type="submit" name="Forward" id="Forward" value="Reply + Forward" /> <input type="submit" name="Add-Reply" id="Add-Reply" value="Add Reply" /> </form> <?php } } else { print "This is not your ticket!"; } ?> </body> </html> Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-983098 Share on other sites More sharing options...
mrMarcus Posted December 23, 2009 Share Posted December 23, 2009 the query holding the message is not returning results as the moderators username is not attached to the user's ticket. $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"; `submitter` does NOT equal 'moderator'. Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-983106 Share on other sites More sharing options...
UQ13A Posted December 23, 2009 Author Share Posted December 23, 2009 the query holding the message is not returning results as the moderators username is not attached to the user's ticket. $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"; `submitter` does NOT equal 'moderator'. I have removed .... `submitter` = '$username' it works but like before all users can view the ticket information :S even if it is not your ticket you can still view it by changing tickets.php?view=(any ticket number here) and thats what i want to stop others doing Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-983111 Share on other sites More sharing options...
mrMarcus Posted December 23, 2009 Share Posted December 23, 2009 the query holding the message is not returning results as the moderators username is not attached to the user's ticket. $sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'"; `submitter` does NOT equal 'moderator'. I have removed .... `submitter` = '$username' it works but like before all users can view the ticket information :S even if it is not your ticket you can still view it by changing tickets.php?view=(any ticket number here) and thats what i want to stop others doing i know. i was just letting you know that that's why your mod's weren't getting the desired information. now you need to work it out where the mod's have global access to the users table. Quote Link to comment https://forums.phpfreaks.com/topic/186055-support-ticket-system/#findComment-983116 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.